Corinna Vinschen wrote:
> That sounds weird, though. It doesn't make sense. The DACL
> for the token only sets the permissions for accessing the token
> and not for accessing other objects.
>
> Hmm.
>
> OTOH..., if the process can't access the token it doesn't know about
> its own permissions. But why should only accessing a registry key
> be affected and not accessing files?!?

I agree it doesn't make sense and it's all Microsoft's doing...

By the way, do you know why LookupAccountSid() returns different values
when the sid is impersonated and when it isn't? Like:

In impersonated token created in a process launched by Phumblet

/******************* Token User */
PHumblet WIRELESS SidTypeUser   <==== ?????
S-1-5-21-2127391503-1594901184-99485923-1004   <==== impersonated sid

the (account) name PHumblet doesn't match the sid's username here.
It would if the process was launched directly by the user (instead of
being impersonated).

>
> The latter call is the one I added to the DuplicateTokenEx() call
> to create this sort of SA with five SIDs, the current user, the
> impersonated user (additional SID parameter), admins, system and
> creator_owner.

What you do is essentially the same as what I tried, except you put
the sa, sd and dacl in a contiguous memory buffer. My code (which also
didn't have any effects) was using pointers from sa to sd and from sd to
the dacl (thus spread in 3 different memory blocks).

> And you say that this doesn't help at all? Hmm, I will have to
> debug that further. SIGH!

Instead of debugging DuplicateTokenEx() it may be simpler (but less
efficient) to set the sd DACL in seteuid(), after the call to
ImpersonateLoggedOnUser(). That's essentially what my call is doing
when NULLing the DACL (see previous mail).
It would also take care of the subauthentication case. I haven't looked
at that at all.

>
> Could you send your minimal testcase, please?

Yes, but perhaps not before Monday.

Pierre